Jens-Matthias Bohli

Bingo voting: secure and coercion-free voting using a trusted random number generator

It is debatable if current direct-recording electronic votingmachines can sufficiently be trusted for a use in elections. Reports about malfunctions and possible ways ofmanipulation abound. Voting schemes have to fulfill seemingly contradictory requirements: On one hand the election process should be verifiable to prevent electoral fraud and on the other hand each vote should be deniable to avoid coercion and vote buying. n nThis work presents a new verifiable and coercion-free voting scheme Bingo Voting, which is based on a trusted random number generator. As a motivation for the new scheme two coercion/vote buying attacks on voting schemes are presented which show that it can be dangerous to let the voter contribute randomness to the voting scheme. n nA proof-of-concept implementation of the scheme shows the practicality of the scheme: all costly computations can be moved to a non time critical pre-voting phase.

Secure group key establishment revisited

We examine the popular proof models for group key establishment of Bresson etxa0al. (LNCS 2248: 290–309, 2001; Proceedings of the 8th ACM conference on computer and communications security (CCS-8), 2001) and point out missing security properties addressing malicious protocol participants. We show that established group key establishment schemes from CRYPTO 2003 and ASIACRYPT 2004 do not fully meet these new requirements. Next to giving a formal definition of these extended security properties, we prove a variant of the explored proposal from ASIACRYPT 2004 secure in this stricter sense. Our proof builds on the Computational Diffie Hellman (CDH) assumption and the random oracle model.

(Password) authenticated key establishment: from 2-party to group

A protocol compiler is described, that transforms any provably secure authenticated 2-party key establishment into a provably secure authenticated group key establishment with 2 more rounds of communication. The compiler introduces neither idealizing assumptions nor high-entropy secrets, e. g., for signing. In particular, applying the compiler to a password-authenticated 2-party key establishment without random oracle assumption, yields a password-authenticated group key establishment without random oracle assumption. Our main technical tools are non-interactive and non-malleable commitment schemes that can be implemented in the common reference string (CRS) model.

Deniable group key agreement

Especially for key establishment protocols to be used in internet applications, the (privacy) concern of deniability arises: Can a protocol transcript be used—possibly by a participant—to prove the involvement of another party in the protocol? For two party key establishment protocols, a common technique for achieving deniability is the replacement of signature-based message authentication with authentication based on symmetric keys. We explore the question of deniability in the context of group key establishment : Taking into account malicious insiders, using a common symmetric key for authentication is critical, and the question of how to achieve deniability arises. n nBuilding on a model of Bresson et al., we offer a formalization of deniability and present a group key agreement offering provable security in the usual sense, deniability, and security guarantees against malicious insiders. Our approach for achieving deniability through a suitably distributed Schnorr-signature might also be of independent interest.

A framework for robust group key agreement

Considering a protocol of Tseng, we show that a group key agreement protocol that resists attacks by malicious insiders in the authenticated broadcast model, loses this security when it is transfered into an unauthenticated point-to-point network with the protocol compiler introduced by Katz and Yung. We develop a protocol framework that allows to transform passively secure protocols into protocols that provide security against malicious insiders and active adversaries in an unauthenticated point-to-point network and, in contrast to existing protocol compilers, does not increase the number of rounds. Our protocol particularly uses the session identifier to achieve the security. By applying the framework to the Burmester-Desmedt protocol we obtain a new 2 round protocol that is provably secure against active adversaries and malicious participants.

Weak Keys in MST1

The public key cryptosystem MST1 has been introduced by Magliveras et al. [12] (Public Key Cryptosystems from Group Factorizations. Jatra Mountain Mathematical Publications). Its security relies on the hardness of factoring with respect to wild logarithmic signatures. To identify ‘wild-like’ logarithmic signatures, the criterion of being totally-non-transversal has been proposed. We present tame totally-non-transversal logarithmic signatures for the alternating and symmetric groups of degree ≥ 5. Hence, basing a key generation procedure on the assumption that totally-non-transversal logarithmic signatures are ‘wild like’ seems critical. We also discuss the problem of recognizing ‘weak’ totally-non-transversal logarithmic signatures, and demonstrate that another proposed key generation procedure based on permutably transversal logarithmic signatures may produce weak keys.

Key substitution attacks revisited: Taking into account malicious signers

Given a signature sfor some message malong with a corresponding public verification key yin a key substitution attack an attacker derives another verification key

A subliminal-free variant of ECDSA

overline{y}